Security Practicum: Essential Home Wireless Security Practices

This article is aimed at covering the major techniques for reducing your WLAN' …

Introduction

802.11b networks are proliferating like mad. Even though faster wireless networks are now available, 802.11b offers users what they want at a reasonably low price. While the high throughput of other technologies is attractive to large Local Area Networks (LANs) and people wanting to use wireless for high-end home entertainment purposes, 802.11b's 11Mbit/sec is more than enough to hook up a handful of clients in your home to the Wide Area Network (WAN), which in most cases is simply the Internet.

However, as we have seen in War Flying San Diego and War Flying Silicon Valley, many users are not taking adequate steps to secure their 802.11b networks. This guide is going to give a practical overview of the methods you can use to lock down your network as tightly as possible without purchasing additional software or setting up Virtual Private Network (VPN) support. If you want a broader overview of 802.11x technology and its security issues, check out our Wireless Security Blackpaper. It's a great article that covers the hows and whys of wireless security issues, and anyone in IT should read that paper before implementing a wireless solution. This article, however, will be focused on the home/small network.

Before we get started, verify that your wireless LAN is in fact working, and then check to make sure that you're running the latest firmware. Many of the earliest 802.11b routers came with lax security features and extremely weak security key options, but a simple update will probably provide you with the options you need to begin to secure your wireless LAN. And we should note, as well, that keeping up with firmware is always a good idea, because security bugs tend to pop up from time to time, anyway.

Note: 802.11a consumer-end security is, for the most part, the same as that exhibited in 802.11b. Furthermore, depending on your hardware manufacturer, you may or may not be able to follow all of these practices.

Basic strategy: don't be an easy target, and know what you want to secure

802.11x is not without its flaws. If someone wants on your wireless network bad enough, they'll probably get on one way or another. What your average home user needs to do is simply not provide fertile stomping grounds for people who are out for an easy target. You might wonder why anyone would even want access to your network. In most scenarios, your wireless network provides perpetrators with two things: 1) access to your local network (the computers connected up in your house), which if unsecured means access to your data, and better yet, 2) access to the 'net. 11Mbits/sec isn't a bad little heist for someone who wants to spend all night downloading pr0n from your connection, or perhaps they'd rather mail bomb the government or something. It's no matter--just don't be an easy target. We're gonna help.

Thus, strictly speaking, there are two things that a user will want to secure: 1) client-to-router traffic, and 2) cracker-to-router access to the LAN/Internet.

Client-to-Router concerns

In this first instance, your concern is that you don't want someone to be able to see (aka, sniff) the data that travels from your legitimate clients to your wireless router (e.g., e-mail, URLs, your passwords that are plaintext, etc.). The simple fact of the matter is that if a cracker sits within range of your network long enough, with the right tools they will break your basic encryption (if you even have it turned on, which most people apparently do not). Without purchasing rather expensive software, all of the traffic that flows between your wireless laptop (for example) and your router can be seen by a cracker with minimal effort. Therefore, if you work with extremely sensitive data, doing so over a wireless connection is dangerous, unless you are using safe tools. For example, if you want to administrate your UNIX servers via a terminal connection, using SSH makes WEP security irrelevant, since traffic is encrypted via SSH, and SSH is rather strong.

Of course, corporate entities may enlist the help of commercial Virtual Private Network (VPN) software to secure such traffic. See the Wireless Security Blackpaper for more information.

Cracker-to-Router Access to the LAN/Internet

The second issue involves officially becoming part of your network, and enjoying all which that may entail--including free access to the net, any open shares you might have, etc. For most users, this is the issue to worry about. Your average war driver isn't looking to crack into your super secret anime collection. Rather, they want free pipe. In this article, we're going to address both concerns. To keep things clear, we've divided the article into three parts: (1) Lock down must-dos, (2) Additional security options, and (3) Little tricks.

Ken Fisher
Ken is the founder & Editor-in-Chief of Ars Technica. A veteran of the IT industry and a scholar of antiquity, Ken studies the emergence of intellectual property regimes and their effects on culture and innovation. Emailken@arstechnica.com//Twitter@kenfisher